Rootkits shot to prominence and infamy in October 2005, when it was revealed that certain Sony Music CDs came with a program that, in order to limit copying, silently loaded itself onto your PC when you inserted the disc. Before long, Sony had a whole omelette's worth of egg on its face, and the word rootkit had entered the vocabulary of millions of PC users.

While the rootkit concept is now widely known, rootkit detection software is less so, so it's worth taking a look at what's available. Many antivirus and security software vendors have since added at least a rudimentary level of rootkit detection to their products, but there are also a number of free, standalone rootkit detection tools.

This article examines six of the more prevalent ones. To test them, I scanned a system for three well-known rootkits: Fu (and its successor FuTo), which can hide any running process; the AFX Windows Rootkit 2003, which can hide processes and folders from the system; and Vanquish, which uses a slightly different concealment mechanism from AFX. I considered what information each tool returned about the programs it detected, what actions end users could take, and how often each tool was updated.

How They Work
The detectors typically compare different views of the same system and look for mismatches. A rootkit that hooks the running operating system can only lie to code that asks the running operating system, so a view obtained some other way will expose what it hides. One of the original ways to do this was to dump a complete list of all the files on the volume from inside the operating system, boot to the Recovery Console and dump another file list, then compare the two. If a file shows up in the second (offline) list but not in the first, and isn't a Windows file that is hidden by default, it's probably a culprit. More recent rootkit detectors use variations on this scheme (comparing, for example, the file list returned by the Win32 API with one read directly from the raw volume, or the process list returned by the API with kernel data structures) that don't require exiting the operating system to get usable results.
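The two-listing comparison just described, as an added example written for this article rather than code from any of the tools reviewed: two constructed directory listings stand in for the dump taken inside the running OS (the online view) and the one taken from the Recovery Console (the offline view). Paths are normalized the way NTFS treats them (case-insensitive), entries Windows hides by default are reported separately so they are not mistaken for a rootkit, and files present only online are listed as transient rather than suspicious. The file names, user name and the offending driver name are all hypothetical.

```python
"""Cross-view file-listing comparison for rootkit hunting.

Added example. The listings below are constructed sample data, one path per
line as a ``dir /s /b`` dump would produce; the driver ``evil.sys`` is a
hypothetical hidden file, not a real rootkit artefact.
"""
from typing import Dict, List

# Constructed: what a listing taken from inside the (possibly compromised) OS sees.
ONLINE_VIEW = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\tcpip.sys
C:\Users\alice\Documents\report.docx
C:\Users\alice\AppData\Local\Temp\tmp1234.tmp
"""

# Constructed: what a listing taken from a clean boot environment sees.
# Note the extra driver, plus files Windows hides by default.
OFFLINE_VIEW = r"""
C:\Windows\System32\ntoskrnl.exe
C:\Windows\System32\drivers\tcpip.sys
C:\Windows\System32\drivers\evil.sys
C:\Users\alice\Documents\report.docx
C:\pagefile.sys
C:\System Volume Information\tracking.log
"""

# Files and directories Windows keeps hidden by default; their absence from the
# online view is expected, not evidence of a rootkit. Extend as needed.
DEFAULT_HIDDEN = (
    r"c:\pagefile.sys",
    r"c:\hiberfil.sys",
    r"c:\system volume information",
    r"c:\$recycle.bin",
)


def normalize(path: str) -> str:
    """NTFS is case-insensitive, so compare in one case and one separator style."""
    return path.strip().replace("/", "\\").lower().rstrip("\\")


def parse_listing(text: str) -> Dict[str, str]:
    """Map normalized path -> path as written, skipping blank lines."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        if line.strip():
            entries[normalize(line)] = line.strip()
    return entries


def is_default_hidden(norm_path: str) -> bool:
    """True if the path is, or lives under, an entry Windows hides by default."""
    return any(norm_path == p or norm_path.startswith(p + "\\") for p in DEFAULT_HIDDEN)


def cross_view_diff(online_text: str, offline_text: str) -> Dict[str, List[str]]:
    """Compare the two views and classify every mismatch.

    suspicious      - offline only and not hidden by default: candidate rootkit files
    expected_hidden - offline only but hidden by Windows anyway: benign
    online_only     - gone by the time the offline dump was taken: usually transient
    """
    online = parse_listing(online_text)
    offline = parse_listing(offline_text)
    suspicious: List[str] = []
    expected_hidden: List[str] = []
    for key in sorted(offline.keys() - online.keys()):
        (expected_hidden if is_default_hidden(key) else suspicious).append(offline[key])
    online_only = [online[key] for key in sorted(online.keys() - offline.keys())]
    return {
        "suspicious": suspicious,
        "expected_hidden": expected_hidden,
        "online_only": online_only,
    }


if __name__ == "__main__":
    report = cross_view_diff(ONLINE_VIEW, OFFLINE_VIEW)
    for category, paths in report.items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

In practice the two dumps come from the real machine (the online one from a normal session, the offline one from the Recovery Console or a boot CD), and the "expected hidden" allowlist should be kept short and specific: every entry you add is a place a rootkit could park a file unnoticed.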

For the most part, these programs are for advanced- to expert-level users. They don't always distinguish between false positives--such as files hidden by the operating system deliberately--and real rootkits. They come with no warranty and some, such as Trend Micro's product, have their core technologies available in a far more user-friendly commercial version. But for those ready to brave them, here are six options to consider.

F-Secure BlackLight
F-Secure BlackLight was one of the first widely used rootkit scanners (aside from RootkitRevealer), and now its scanning technology is being rolled into F-Secure Internet Security 2006.

One thing F-Secure has that few other rootkit detectors do is detailed documentation and usage instructions. Even if these programs are meant to be expert-level tools, it's always good to have something more to refer to than the program's own prompts. Its detection seems quite thorough; it caught a process hidden by the Fu rootkit and tracked down the other two rootkits.

IceSword
IceSword has gained a measure of fame as one of the most powerful and thorough rootkit detectors out there. But it's also one of the toughest to find. Its creator, a Chinese-speaking programmer known as pjf_, offers the program through his Web site, but because that link is excruciatingly slow the application has been mirrored by many free download sites, such as MajorGeeks.com. It's been issued in English, but the help files are only in Chinese.

IceSword also has been updated pretty consistently--multiple 1.x editions have appeared throughout 2006--and pjf_ has been quoted as saying he will continue to update and offer new versions as different rootkits emerge. There are a number of small but elegant touches throughout the 1.20 version, aimed at the experts the program is intended for.

RKDetector
RKDetector 2.0 is actually two applications: one to scan for hidden files on a hard drive and another to scan for hidden processes and kernel hooks. It's a little more difficult to do a comprehensive scan this way, though, since you have to do each scan action separately and there's no way to get a comprehensive report. The individual result reports aren't hard to make sense of and act on, but the program's usefulness is overshadowed by some of the other applications discussed here.

Trend Micro RootkitBuster
One thing I've always liked about Trend Micro is how it makes bits of its commercial products available as freebies. Trend Micro has excerpted the rootkit detection technology from its commercial Internet Security 2007 product and made it available as a standalone tool. Documentation is essentially nonexistent, and it's very hard to tell how regularly the product has been updated, but I suspect that goes hand in hand with its being a freebie. RootkitBuster 1.6 does a good job of detecting and cleaning, though: it caught processes hidden by the Fu rootkit and found the other two test rootkits quite completely.

RootkitRevealer
RootkitRevealer was one of the very first rootkit detection tools, courtesy of the ever-overachieving Mark Russinovich and Bryce Cogswell of Winternals (now part of Microsoft).

RKR 1.71's documentation indicates it's not designed to detect rootkits that cloak themselves in memory only, such as Fu (which it didn't detect at all). It checks whether something is attempting to conceal itself in the file system or Registry, so in that respect it's limited. It did detect signs of the other two rootkits, though, so as a quick-and-dirty first line of defense it's not bad. For more comprehensive scanning, and the ability to click-and-delete a rootkit, there are definitely better tools available.

Rootkit Unhooker
Rootkit Unhooker is the product of a Russian programming team, and version 3.0 is one of the better, more comprehensive programs I looked at. That means it's also more sophisticated, but the programmers have been thoughtful enough to make it possible to produce an overview of all the scanned areas of the system in one report.

The full report is a bit wordy but makes it unambiguously clear if there's a chance you have a rootkit hiding somewhere--and where it might be hiding, as well. I was able to detect the presence of all three test rootkits without trouble.

Decision Time
Rootkit detection tools break down into two basic categories:

Professionally written tools marketed to get people to buy a full commercial product

Independently written tools aimed at expert users

For me, it was one of the independent tools, Rootkit Unhooker, that turned out to be the best. The big vendors, however, won't likely see them as competition, since the indie-written tools clearly are meant for pros.

If rootkits proliferate and become as difficult to detect as predicted, that will be a strong incentive for the major security software makers to market their own products. But it also will be an incentive for the indies to continue to write and update their tools for their own market.
